Shelter Protocol

Integrated P2P Runtime

An open protocol for creating end-to-end encrypted, federated, user-friendly web applications. Defines a lightweight federated virtual machine based on signed, ordered "contract chains" (event logs) with E2E encryption primitives. The reference implementation is Chelonia (a JS framework). Group Income (voluntary basic income app) is the primary production use case. Governance: okTurtles Foundation (501(c)(3) non-profit).

Fully P2P Community Low capture risk
Links
Visit Community

Details

License AGPL / GPL-3.0 / MIT
Dev Status Beta
Owner okTurtles Foundation (501c3 non-profit)
Country USA
Start Year 2019
Stack JavaScript / TypeScript, VueJS 2.x, Hapi.js, WebSockets, SBP, WebAssembly sandbox for smart contract execution
Funding Grant, Donations
Last Investigated Mar 10, 2026

Use Case Domains

Communication Platform Evolution & Sovereignty Group Formation & Governance

Affordances

End-to-end encrypted Composable groups Self-hostable Consent-based governance

Integrated P2P Runtime Attributes

P2P Architecture Federated server model (servers relay contract chain messages to subscribers); clients store/reconstruct local state; servers cannot read encrypted payloads
Overlay Network None — uses existing HTTP/HTTPS + WebSockets; server federation via standard web protocols
Content Addressing Yes — BLAKE2b-256 CIDs (Base58 encoded) address all resources; shelter: URI scheme; first SPMessage in chain is CID of the contract
Local-First Partial — state reconstructed locally from replayed events; offline: events queued but requires server sync for propagation; state snapshots reduce replay cost
E2EE Yes — OP_ACTION_ENCRYPTED for encrypted actions; OP_KEY_ADD/OP_KEY_SHARE for key management; ZK sub-protocol for password salt retrieval without revealing password to server; unique keys per device optional; EdDSA/ECC primitives; cipher-agnostic by design for post-quantum upgrade path
CRDTs Lib No — uses ordered event logs (deterministic replay); no CRDT library
Byzantine Fault Tolerance No formal BFT — federated trust model; server operators are trusted; contracts upgradeable by authorized keys
Signature JWS-compatible signing (JSON Web Signatures); OP_KEY_ADD / OP_KEY_SHARE primitives; signingKeyId referenced per message; ECC (cipher-agnostic design)
Permissions Capability-based key authorization: each SPMessage references a signingKeyId and encryptionKeyId defined at contract creation; OP_KEY_ADD grants new keys (multi-device); OP_KEY_SHARE shares secrets between keys; role/function authorization model customizable per contract; server cannot override client-side key permissions
Semantic Web Compatability None — no RDF, JSON-LD, or linked data primitives
Smart Contract Yes — "contracts" are upgradeable programs (any language) that process OP_ACTION events against shared state; WebAssembly sandbox recommended; Contract Manifest defines versioned contract code; state transition defined per event type; analogous to OOP class/instance model
Protocol Stack Position Application layer — sits above TCP/IP and HTTP/WebSockets; provides encrypted federated application VM layer; comparable to ActivityPub at a higher abstraction level (application runtime vs. social protocol)
Asset / Value Embedding None — no native token or asset primitives in protocol
Development Tools Chelonia (JS/TS framework, AGPL-3.0) — reference implementation of Shelter Protocol for browser and Node.js; @chelonia/cli (chel) — CLI utility (TypeScript, AGPL-3.0); @chelonia/crypto, @chelonia/lib, @chelonia/serdes — npm packages; @sbp/sbp — Selector-based Programming micro-framework; Group Income codebase as reference application
Deployment Options Self-hosted server (Hapi.js); web app served separately from server (recommended for security — prevents malicious JS injection); Tauri for desktop app distribution; server stores encrypted contract chains; clients reconstruct state locally
Authentication & Identity Identity Contract (customizable per app): stores username, email, profile picture as E2E encrypted state; unique keypairs per device (EdDSA); ZK-based password/salt authentication without exposing password to server; OP_KEY_ADD for multi-device keyset management; no centralized identity registry
Storage Model Server-side append-only contract chain storage (encrypted blobs); client-side reconstructed application state; optional state snapshots every N messages for sync efficiency; CID-addressed immutable messages
Interoperability Low — Shelter Protocol is self-contained; no ActivityPub federation (despite conceptual borrowing); no DID/VC integration; shelter: URI scheme is custom; no standard identity or data portability interfaces
Social Graph Application-defined via contracts; no native social graph primitives; Group Income implements group membership via identity + group contracts
Protocol Maturity / Standardization Custom / Community spec — not submitted to any SDO; spec published at shelterprotocol.net; shelter: URI scheme documented informally; Chelonia is alpha/beta; Group Income in beta testing